
United States intelligence agencies have uncovered a data breach that targeted and compromised the U.S. Army Corps of Engineers’ National Inventory of Dams (NID), starting back in January.

The database itself contains classified information on vulnerabilities in 8,100 dams across the United States, including hazard-level rankings for each dam. Media reports say U.S. officials have traced the attack to the Chinese government, but no additional information has been provided to support these statements.

In the wrong hands, the information from the National Inventory of Dams could provide a road map for cyber attacks by a hostile state or terrorist group seeking to target dams and disrupt the power grid.

National Inventory of Dams Map

The National Inventory of Dams data could provide attackers with information on what NERC (the North American Electric Reliability Corporation, the entity responsible for enforcing reliability, security and compliance for the bulk power system) would classify as Critical Assets (CA) and the Critical Cyber Assets (CCA) that control them.

National Inventory of Dams Vulnerability Data

NERC’s Critical Infrastructure Protection (CIP) standards define cyber security requirements that the power industry must follow to keep these assets secure, covering continuous monitoring, security configuration management and incident detection, among other topics. But one wonders how well NERC CIP, or any set of standards, holds up in a real-world attack where the adversary already has a map of critical infrastructure and its potential vulnerabilities.

Tripwire will be providing more information regarding NERC CIP in the coming months. Tripwire has a long history of working with hundreds of entities, not only helping with NERC audits but also securing the electronic security perimeter and managing critical systems.

Here is a list of some additional educational resources regarding NERC and securing the nation’s power grid:

  • Ken,

    I received the following statements from our friend Patrick Miller, Partner and Managing Principal, The Anfield Group (www.theanfieldgroup.com), who said of the matter:

    First, I haven't seen any compelling evidence (proof) that the data was breached by the Chinese military. The statements by Van Cleave are speculative at best. However, it would not surprise me if this were true. China is not necessarily quiet about their stealing data, proprietary information and other useful information – but direct infrastructure attacks are not their typical approach. They usually prefer a much less confrontational method of "warfare" against their adversaries. China is currently undergoing a rather severe energy crisis of their own and may have been seeking [by any means necessary] information on hydroelectric facilities that could accelerate their hydroelectric ambitions without having to spend the time and money on the research and development. Or they could sell the information to the highest bidder with malicious intentions. Or both. We just don't know.

    I've been asked if the NERC Critical Infrastructure Protection (CIP) standards would have protected against this information leakage, and the answer is: probably not. Only certain facilities would be considered "Critical Assets" under the NERC CIP Standards. This would leave a significant portion of the list outside of the scope of required protection. Further, the degree of protection is entirely at the utility's discretion. They can simply say that they classified the entire data set as For Official Use Only (FOUO) and therefore nothing would have been different.

    The Corps of Engineers and NERC (and FERC) have an interesting history when it comes to complying with the CIP and other Reliability Standards. See http://www.troutmansandersenergyreport.com/2010/0… for additional details.

  • There is no way any regulation can stop an attack…or breach. It is the individual or the company that can stop or at least make an attack difficult to perform. There is nothing in the NERC CIP requirements that says you must do only this. The requirements are a guideline to follow for minimum requirements to adhere to…nothing else. If a large utility wants to do the minimum, then they deserve everything they get…including a fine. FERC/NERC have imposed tens of millions of dollars in fines and yet the industry still thinks they are OK. There needs to be a serious wake-up call thrown at the power and utility industry, and until they start taking the requirements seriously, the nation's power grid will be in jeopardy.

    It is hoped that the new version of the NERC CIP requirements, version 5, will assist in getting this done since they are based, in part, on the NIST 800-53 requirements. Only time will tell.